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1  Introduction 

This  document  has  been  written  in  support  of  a  research  project  to  publicly  demonstrate 
and  document  how  a  high  assurance  product  can  be  developed  and  distributed.  A  high 
assurance  product  is  one  for  which  its  users  have  a  high  level  of  confidence  that  its 
security  policies  will  be  enforced  continuously  and  correctly.  Such  products  are 
constructed  so  that  they  can  be  analyzed  for  these  characteristics.  Lifecycle  activities 
ensure  that  the  product  reflects  the  intent  to  ensure  that  the  product  is  trustworthy  and  that 
vigorous  efforts  have  been  made  to  ensure  the  absence  of  unspecified  functionality, 
whether  accidental  or  intentional. 

The  purpose  of  this  plan  is  to  provide  the  personnel  policy  necessary  to  protect  the 
confidentiality  and  integrity  of  a  product  during  the  development  and  maintenance  phases 
of  its  life  cycle.  Integrity  is  the  primary  concern  of  this  plan,  though  confidentiality  is  not 
disregarded. 

2  Policy 

This  section  defines  the  policy  with  respect  to  personnel  security,  as  it  applies  to  the  TCX 
project. 

1.  Specific  qualifications  for  participation  on  a  project  (e.g.,  clearances,  U.S. 
citizenship,  DoD  employee,  etc.)  are  set  by  the  Project  Manager  based  on  the 
needs  of  the  individual  aspects  of  the  project  (such  as  the  projected  customer 
base),  and  not  as  a  requirement  for  high  assurance. 

2.  A  new  user  shall  be  promptly  trained. 

A  new  user  (viz.,  a  new  participant  on  a  project)  shall  be  familiarized  with  the 
security  requirements  of  the  project,  and  trained  on  the  proper  use  of  the 
development  or  CM  systems,  before  access  is  given  to  the  systems.  The  Project 
Manager  shall  maintain  evidence  of  this  training.  Training  shall  consist  of  reading 
the  internal  documents  that  apply  to  the  user's  responsibilities,  as  determined  by 
the  Project  Manager.  For  example,  a  developer  may  be  assigned  to  read  the 
following  documents: 

a.  Physical  Security  Plan 

b.  Personnel  Security  Plan 

c.  Development  Standards 

d.  Configuration  Management  Procedures 

Evidence  of  this  training  shall  include  the  new  user's  signature  indicating  that  the 
documents  have  been  read,  that  they  have  been  understood,  and  that  the  user 
agrees  to  abide  by  them.  (See  Appendix  A). 

3.  Refresher  training  shall  be  performed  annually. 
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All  personnel  involved  on  a  project  shall  have  a  yearly  refresher  of  the  associated 
security  requirements.  The  Project  Manager  shall  maintain  evidence  of  this 
training. 

4.  A  user  shall  be  considered  authorized  to  access  project  systems  after  approval  has 
been  given  by  the  Project  Manager,  and  after  training  has  been  completed. 

5.  An  official  list  of  authorized  users  shall  be  maintained. 

The  Project  Manager  shall  maintain  two  lists  of  authorized  users: 

a.  Those  authorized  to  access  CM  systems.  (See  Appendix  C). 

b.  Those  authorized  to  access  development  systems.  (See  Appendix  B). 

Each  list  shall  show  the  full  name  of  the  user,  the  login  name  of  the  user,  the 
Discretionary  Access  Control  (DAC)  groups  the  user  is  assigned  to,  and  the  date 
approval  was  given. 

6.  No  user  shall  be  allowed  on  both  lists  of  authorized  users. 

The  CM  systems  and  the  development  systems  shall  have  two  separate  system 
administrators. 

7.  A  system  administrator  shall  not  add  or  disable  accounts  without  direction  from 
the  Project  Manager. 

8.  When  a  user  separates  from  a  project,  the  Project  Manager  shall  update  the  list  of 
authorized  users  and  direct  the  system  administrator  to  disable  the  respective 
account. 

9.  The  accounts  of  separated  users  shall  be  disabled  promptly. 

When  informed  by  the  Project  Manager  of  a  separated  user,  the  system 
administrator  for  the  respective  account  shall  promptly  disable  it.  Confirmation  of 
this  action  shall  be  communicated  to  the  Project  Manager,  who  shall  note  the  date 
on  the  list  of  authorized  users. 

10.  If  a  separating  user  is  a  system  administrator,  then  the  administrative  password(s) 
shall  be  changed  immediately. 

If  a  new  system  administrator  has  not  been  identified  at  the  time  of  separation,  the 
Project  Manager  shall  maintain  the  new  password  until  a  replacement  has  been 
appointed. 

11.  When  a  user  separates  from  a  project,  all  evaluation  evidence  and  other  project 
material  maintained  by  that  user  shall  be  turned  over  to  the  Project  Manager. 
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12.  Audits  shall  be  performed  at  least  quarterly. 

The  Project  Manager  is  responsible  for  verifying  that  all  enabled  accounts  of  the 
systems  are  on  the  appropriate  list  of  authorized  users. 

Evidence  of  these  audits,  and  their  results,  shall  be  kept  by  the  Project  Manager. 
(See  Appendix  D). 

3  Responsibilities 

This  section  assigns  responsibility  for  meeting  the  requirements  of  this  document. 

1.  Project  Manager 

The  Project  Manager  is  responsible  for  selecting  personnel  to  work  on  a  project, 
and  ensuring  that  they  are  properly  trained.  The  Project  Manager  must  maintain 
accurate  lists  of  authorized  users,  notifying  the  system  administrators  in  a  timely 
fashion  when  changes  have  been  made,  and  conducting  regular  audits  of  the  lists. 

2.  System  Administrators 

The  system  administrators  must  follow  the  direction  of  the  Project  Manager  by 
either  adding  or  disabling  user  accounts  upon  request. 

3 .  All  Proj  ect  members 

All  members  of  a  project  must  comply  with  the  personnel  policies,  as  stated  in 
this  document.  The  whole  team  can  help  the  Project  Manager,  especially  the 
Configuration  Item  Leaders,  to  keep  track  of  personnel  as  they  leave,  which  can 
be  a  challenge  in  some  environments. 
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Appendix  A  -  Participant  Agreement 

Figure  1  shows  an  example  of  an  agreement  that  a  project  member  is  required  to  sign, 
showing  evidence  of  initial  training  and  a  willingness  to  abide  by  the  policies  set  forth  by 
the  project. 


Participant  Agreement 


I  have  read  the  following  documents,  as  directed  by  the  Project  Manager: 


I  understand  the  above  documents  and  agree  to  abide  by  the  policies  and  procedures 
presented  therein  when  working  on  the _ project. 


Printed  Name  Signature  Date 


Figure  1  Sample  Participant  Agreement 
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Appendix  B  -  Authorized  Users  on  Development  Systems 

Figure  2  shows  a  sample  record  to  keep  track  of  authorized  developers,  per  project. 


FOR  INTERNAL  USE  ONLY  -  DO  NOT  DISTRIBUTE 

AUTHORIZED  USERS 
Development  Environment 


Name 

Username 

Pro 

ects 

Approved  By 

Approved 

XXXjk-mm-dfi 

Account 

Disabled 

yyyy-mm-dd 

EtaiA 

Ec»c 

EiaiD 

EreiE 

EreiF 

Figure  2  Sample  Record  of  Authorized  Users  on  Development  Systems 
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Appendix  C  -  Authorized  Users  on  CM  Systems 

Figure  3  shows  a  sample  record  to  keep  track  of  authorized  users  on  the  CM  system. 


FOR  INTERNAL  USE  ONLY  -  DO  NOT  DISTRIBUTE 

AUTHORIZED  USERS 
CM  System 


Name 

Username 

Groups 

Approved  By 

Approved 

yyyy-mm-d4 

Account 

Disabled 

yyyy.-mm-cjl 

Administrator 

Staff 

Figure  3  Sample  Record  of  Authorized  Users  on  the  CM  System 
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Appendix  D  -  Audit  Records 

Figure  4  shows  a  sample  record  to  provide  evidence  that  audits  were  performed  as 
required. 


Audit  Record 


Description  of  item(s)  under  audit: 


Findings: 


Audited  by: 


Printed  Name  Signature  Date 


Figure  4  Sample  Audit  Record 
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